User with Reader role can create/delete/update/set-bootable volume

Bug #2020113 reported by Evelina Shames
This bug affects 4 people
Affects | Status | Importance | Assigned to | Milestone
Cinder | New | Low | Unassigned |

Bug Description

A user with a reader role can create, delete, update or set as bootable a volume, while these operations should be forbidden for a reader role.

Create volume:
2023-05-18 09:39:58,891 90863 INFO [tempest.lib.common.rest_client] Request (ProjectReaderTests:test_create_volume): 202 POST https://10.208.192.88/volume/v3/894a4c630b5b4c57b1bfb27a435741d1/volumes 0.452s
2023-05-18 09:39:58,892 90863 DEBUG [tempest.lib.common.rest_client] Request - Headers: {'Content-Type': 'application/json', 'Accept': 'application/json', 'Openstack-Api-Version': 'volume 3.12', 'X-Auth-Token': '<omitted>'}
        Body: {"volume": {"size": 1}}
    Response - Headers: {'date': 'Thu, 18 May 2023 09:39:58 GMT', 'server': 'Apache/2.4.52 (Ubuntu)', 'content-type': 'application/json', 'x-compute-request-id': 'req-34b582fa-6cd7-473f-9d96-ac6958a2588c', 'content-length': '782', 'openstack-api-version': 'volume 3.12', 'vary': 'OpenStack-API-Version', 'x-openstack-request-id': 'req-34b582fa-6cd7-473f-9d96-ac6958a2588c', 'connection': 'close', 'status': '202', 'content-location': 'https://10.208.192.88/volume/v3/894a4c630b5b4c57b1bfb27a435741d1/volumes'}
        Body: b'{"volume": {"id": "b9c8cba2-f416-4138-b5ba-d29ffd6c3363", "status": "creating", "size": 1, "availability_zone": "nova", "created_at": "2023-05-18T09:39:58.791840", "updated_at": null, "name": null, "description": null, "volume_type": "lvmdriver-1", "snapshot_id": null, "source_volid": null, "metadata": {}, "links": [{"rel": "self", "href": "https://10.208.192.88/volume/v3/894a4c630b5b4c57b1bfb27a435741d1/volumes/b9c8cba2-f416-4138-b5ba-d29ffd6c3363"}, {"rel": "bookmark", "href": "https://10.208.192.88/volume/894a4c630b5b4c57b1bfb27a435741d1/volumes/b9c8cba2-f416-4138-b5ba-d29ffd6c3363"}], "user_id": "fba59402055749e5b0af03eaddec771c", "bootable": "false", "encrypted": false, "replication_status": null, "consistencygroup_id": null, "multiattach": false, "attachments": []}}'

Delete volume:
2023-05-18 09:40:01,542 90863 INFO [tempest.lib.common.rest_client] Request (ProjectReaderTests:test_delete_volume): 202 DELETE https://10.208.192.88/volume/v3/894a4c630b5b4c57b1bfb27a435741d1/volumes/ae741c71-1372-4b82-9f2c-9548c42830b9 0.080s
2023-05-18 09:40:01,542 90863 DEBUG [tempest.lib.common.rest_client] Request - Headers: {'Content-Type': 'application/json', 'Accept': 'application/json', 'Openstack-Api-Version': 'volume 3.12', 'X-Auth-Token': '<omitted>'}
        Body: None
    Response - Headers: {'date': 'Thu, 18 May 2023 09:40:01 GMT', 'server': 'Apache/2.4.52 (Ubuntu)', 'content-length': '0', 'content-type': 'text/html; charset=UTF-8', 'openstack-api-version': 'volume 3.12', 'vary': 'OpenStack-API-Version', 'x-openstack-request-id': 'req-366fdaae-c21d-4b24-b0db-2ab6f2a7d8b9', 'connection': 'close', 'status': '202', 'content-location': 'https://10.208.192.88/volume/v3/894a4c630b5b4c57b1bfb27a435741d1/volumes/ae741c71-1372-4b82-9f2c-9548c42830b9'}
        Body: b''

Update volume:
2023-05-18 09:40:27,100 90863 INFO [tempest.lib.common.rest_client] Request (ProjectReaderTests:test_update_volume): 200 PUT https://10.208.192.88/volume/v3/894a4c630b5b4c57b1bfb27a435741d1/volumes/7e46d088-63d7-4c8c-801e-2368941be202 0.132s
2023-05-18 09:40:27,100 90863 DEBUG [tempest.lib.common.rest_client] Request - Headers: {'Content-Type': 'application/json', 'Accept': 'application/json', 'Openstack-Api-Version': 'volume 3.12', 'X-Auth-Token': '<omitted>'}
        Body: {"volume": {"description": "ProjectReaderTests-update_test"}}
    Response - Headers: {'date': 'Thu, 18 May 2023 09:40:26 GMT', 'server': 'Apache/2.4.52 (Ubuntu)', 'content-type': 'application/json', 'x-compute-request-id': 'req-f8f7b1d8-e59c-49c1-9f35-0eb22f2486ca', 'content-length': '880', 'openstack-api-version': 'volume 3.12', 'vary': 'OpenStack-API-Version', 'x-openstack-request-id': 'req-f8f7b1d8-e59c-49c1-9f35-0eb22f2486ca', 'connection': 'close', 'status': '200', 'content-location': 'https://10.208.192.88/volume/v3/894a4c630b5b4c57b1bfb27a435741d1/volumes/7e46d088-63d7-4c8c-801e-2368941be202'}
        Body: b'{"volume": {"id": "7e46d088-63d7-4c8c-801e-2368941be202", "status": "available", "size": 1, "availability_zone": "nova", "created_at": "2023-05-18T09:40:26.000000", "updated_at": "2023-05-18T09:40:27.000000", "name": "tempest-VolumeV3RbacBaseTests-Volume-2135280068", "description": "ProjectReaderTests-update_test", "volume_type": "lvmdriver-1", "snapshot_id": null, "source_volid": null, "metadata": {}, "links": [{"rel": "self", "href": "https://10.208.192.88/volume/v3/894a4c630b5b4c57b1bfb27a435741d1/volumes/7e46d088-63d7-4c8c-801e-2368941be202"}, {"rel": "bookmark", "href": "https://10.208.192.88/volume/894a4c630b5b4c57b1bfb27a435741d1/volumes/7e46d088-63d7-4c8c-801e-2368941be202"}], "user_id": "3beafdd264d54a1088bda13cbfe14a33", "bootable": "false", "encrypted": false, "replication_status": null, "consistencygroup_id": null, "multiattach": false, "attachments": []}}'

Set as bootable volume:
2023-05-18 09:40:13,840 90863 INFO [tempest.lib.common.rest_client] Request (ProjectReaderTests:test_set_bootable_volume): 200 POST https://10.208.192.88/volume/v3/894a4c630b5b4c57b1bfb27a435741d1/volumes/ccca21d3-5056-4314-bfd6-04b0faf1ea0c/action 0.050s
2023-05-18 09:40:13,841 90863 DEBUG [tempest.lib.common.rest_client] Request - Headers: {'Content-Type': 'application/json', 'Accept': 'application/json', 'Openstack-Api-Version': 'volume 3.12', 'X-Auth-Token': '<omitted>'}
        Body: {"os-set_bootable": {"bootable": true}}
    Response - Headers: {'date': 'Thu, 18 May 2023 09:40:13 GMT', 'server': 'Apache/2.4.52 (Ubuntu)', 'x-compute-request-id': 'req-2a1ce6a4-c98b-40da-9b48-00970360d2f6', 'content-length': '0', 'content-type': 'application/json', 'openstack-api-version': 'volume 3.12', 'vary': 'OpenStack-API-Version', 'x-openstack-request-id': 'req-2a1ce6a4-c98b-40da-9b48-00970360d2f6', 'connection': 'close', 'status': '200', 'content-location': 'https://10.208.192.88/volume/v3/894a4c630b5b4c57b1bfb27a435741d1/volumes/ccca21d3-5056-4314-bfd6-04b0faf1ea0c/action'}
        Body: b''

These issues were found while adding snapshot tests for srbac:
https://review.opendev.org/c/openstack/cinder-tempest-plugin/+/878672

Tags: rbac
Changed in cinder:
importance: Undecided → Low
tags: added: rbac
Yosi Ben Shimon (ybenshim) wrote :

The same user (reader) can also create/update volume metadata as well as update/delete volume metadata item.

create volume metadata:
2023-07-30 09:08:48,418 91159 INFO [tempest.lib.common.rest_client] Request (ProjectReaderTests:test_create_volume_metadata): 200 POST https://158.69.72.48/volume/v3/34fdf801453342b98866f178838a72ea/volumes/a12cf7d1-3aa4-4ecd-a514-e8f3fe39cbd7/metadata 0.246s
2023-07-30 09:08:48,419 91159 DEBUG [tempest.lib.common.rest_client] Request - Headers: {'Content-Type': 'application/json', 'Accept': 'application/json', 'Openstack-Api-Version': 'volume 3.12', 'X-Auth-Token': '<omitted>'}
        Body: {"metadata": {"key1": "value1", "key2": "value2", "key3": "value3", "key4": "value4"}}
    Response - Headers: {'date': 'Sun, 30 Jul 2023 09:08:48 GMT', 'server': 'Apache/2.4.52 (Ubuntu)', 'content-type': 'application/json', 'x-compute-request-id': 'req-16346c48-74c9-4721-aa4d-8b42453574d4', 'content-length': '86', 'openstack-api-version': 'volume 3.12', 'vary': 'OpenStack-API-Version', 'x-openstack-request-id': 'req-16346c48-74c9-4721-aa4d-8b42453574d4', 'connection': 'close', 'status': '200', 'content-location': 'https://158.69.72.48/volume/v3/34fdf801453342b98866f178838a72ea/volumes/a12cf7d1-3aa4-4ecd-a514-e8f3fe39cbd7/metadata'}
        Body: b'{"metadata": {"key1": "value1", "key2": "value2", "key3": "value3", "key4": "value4"}}'

update volume metadata:
2023-07-30 09:09:16,833 91159 INFO [tempest.lib.common.rest_client] Request (ProjectReaderTests:test_update_volume_metadata): 200 POST https://158.69.72.48/volume/v3/34fdf801453342b98866f178838a72ea/volumes/b9aaa4d5-1ef5-4619-94c2-cd3b16d5b831/metadata 0.050s
2023-07-30 09:09:16,834 91159 DEBUG [tempest.lib.common.rest_client] Request - Headers: {'Content-Type': 'application/json', 'Accept': 'application/json', 'Openstack-Api-Version': 'volume 3.12', 'X-Auth-Token': '<omitted>'}
        Body: {"metadata": {"key1": "value1", "key2": "value2", "key3": "value3", "key4": "value4"}}
    Response - Headers: {'date': 'Sun, 30 Jul 2023 09:09:16 GMT', 'server': 'Apache/2.4.52 (Ubuntu)', 'content-type': 'application/json', 'x-compute-request-id': 'req-a1d5854d-b19f-4a41-9091-958da50a9792', 'content-length': '86', 'openstack-api-version': 'volume 3.12', 'vary': 'OpenStack-API-Version', 'x-openstack-request-id': 'req-a1d5854d-b19f-4a41-9091-958da50a9792', 'connection': 'close', 'status': '200', 'content-location': 'https://158.69.72.48/volume/v3/34fdf801453342b98866f178838a72ea/volumes/b9aaa4d5-1ef5-4619-94c2-cd3b16d5b831/metadata'}
        Body: b'{"metadata": {"key1": "value1", "key2": "value2", "key3": "value3", "key4": "value4"}}'

update volume metadata item:
2023-07-30 09:09:20,355 91159 INFO [tempest.lib.common.rest_client] Request (ProjectReaderTests:test_update_volume_metadata_item): 200 PUT https://158.69.72.48/volume/v3/34fdf801453342b98866f178838a72ea/volumes/776bd91b-b857-45a1-80ad-b9f1559fb692/metadata/key2 0.036s
2023-07-30 09:09:20,356 91159 DEBUG [tempest.lib.common.rest_client] Request - Headers: {'Content-Type': 'application/json', 'Accept': 'application/json', 'Openstack-Api-Version': 'volume 3.12', 'X-Auth-Token': '<omitted>'}
        B...
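
A check that surfaces the pattern shown in the logs above, where a reader-persona test completes a mutating request with a 2xx status. This is an added example, not part of the bug report or of Cinder or tempest; the function name, the `Reader` class-name marker, and the sample lines (documentation IP, placeholder IDs) are constructed assumptions.

```python
import re

# INFO summary line written by tempest's rest_client for each request:
#   ... Request (<TestClass>:<test_name>): <status> <METHOD> <url> <elapsed>s
REQUEST_LINE = re.compile(
    r"\[tempest\.lib\.common\.rest_client\] Request "
    r"\((?P<cls>\w+):(?P<test>\w+)\): "
    r"(?P<status>\d{3}) (?P<method>[A-Z]+) (?P<url>\S+)"
)
MUTATING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

def reader_write_successes(lines, reader_marker="Reader"):
    """Return (test, method, status, path) for each mutating request that a
    reader-persona test class completed with a 2xx status."""
    findings = []
    for line in lines:
        m = REQUEST_LINE.search(line)
        # DEBUG header/body lines and non-reader personas are skipped.
        if not m or reader_marker not in m["cls"]:
            continue
        status = int(m["status"])
        if m["method"] in MUTATING_METHODS and 200 <= status < 300:
            # Drop scheme, host and project id so the resource path stands out.
            path = m["url"].split("/volume/v3/", 1)[-1].split("/", 1)[-1]
            findings.append((m["test"], m["method"], status, path))
    return findings

# Constructed sample log, modelled on the format of the lines in this report.
P = "[tempest.lib.common.rest_client] Request"
U = "https://192.0.2.10/volume/v3/PROJECT_ID/volumes"
SAMPLE_LOG = [
    f"2023-05-18 09:39:58,891 1 INFO {P} (ProjectReaderTests:test_create_volume): 202 POST {U} 0.452s",
    f"2023-05-18 09:39:58,892 1 DEBUG {P} - Headers: {{'X-Auth-Token': '<omitted>'}}",
    f"2023-05-18 09:39:59,100 1 INFO {P} (ProjectReaderTests:test_list_volumes): 200 GET {U}/detail 0.050s",
    f"2023-05-18 09:40:01,542 1 INFO {P} (ProjectReaderTests:test_delete_volume): 403 DELETE {U}/VOLUME_ID 0.080s",
    f"2023-05-18 09:40:05,000 1 INFO {P} (ProjectMemberTests:test_create_volume): 202 POST {U} 0.400s",
    f"2023-05-18 09:40:13,840 1 INFO {P} (ProjectReaderTests:test_set_bootable_volume): 200 POST {U}/VOLUME_ID/action 0.050s",
]

if __name__ == "__main__":
    for test, method, status, path in reader_write_successes(SAMPLE_LOG):
        print(f"reader write allowed: {test} -> {status} {method} {path}")
```

A 403 on the reader's DELETE is the expected outcome and is not reported; only the two 2xx write requests from `ProjectReaderTests` are.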
